Methods, systems, and computer program products are provided for glyphword-based security. Embodiments include establishing a glyphword comprising a plurality of glyphs; and creating a plurality of glyphsheets wherein each glyphsheet includes one or more glyphs included in the established glyphword and one or more glyphs not included in the established glyphword; and for each glyphsheet: presenting to a user the glyphsheet; receiving from the user at least one selection of a glyph included in the glyphsheet; determining whether the glyphsheet is the last glyphsheet if the glyph selected by the user is not included in the glyphs of the glyphword; and providing access to a resource if the glyphsheet is the last glyphsheet.
|
8. A system for glyphword-based security, the system comprising:
a computer processor;
a computer memory operatively coupled to the computer processor, the computer memory having disposed within it computer program instructions capable of:
establishing a glyphword comprising a plurality of glyphs; and
creating a plurality of glyphsheets wherein each glyphsheet includes one or more glyphs included in the established glyphword and one or more glyphs not included in the established glyphword;
and for each glyphsheet:
presenting to a user the glyphsheet;
receiving from the user at least one selection of a glyph included in the glyphsheet;
determining whether the glyphsheet is the last glyphsheet if the glyph selected by the user is not included in the glyphs of the glyphword;
providing access to a resource if the glyphsheet is the last glyphsheet; and
denying access to a resource if any of the glyphs selected by the user are included in the plurality of glyphs of the glyphword.
1. A method for glyphword-based security, the method comprising:
establishing, by a glyphword-based security module comprising a module of automated computing machinery, a glyphword comprising a plurality of glyphs; and
creating, by the glyphword-based security module, a plurality of glyphsheets wherein each glyphsheet includes one or more glyphs included in the established glyphword and one or more glyphs not included in the established glyphword;
and for each glyphsheet:
presenting by the glyphword-based security module to a user the glyphsheet;
receiving by the glyphword-based security module from the user at least one selection of a glyph included in the glyphsheet;
determining, by the glyphword-based security module, whether the glyphsheet is the last glyphsheet if the glyph selected by the user is not included in the glyphs of the glyphword;
providing, by the glyphword-based security module, access to a resource if the glyphsheet is the last glyphsheet; and
denying access to a resource if any of the glyphs selected by the user are included in the plurality of glyphs of the glyphword.
13. A computer program product for glyphword-based security, the computer program product embodied on a computer-readable recordable medium, the computer program product comprising:
computer program instructions for establishing a glyphword comprising a plurality of glyphs; and
computer program instructions for creating a plurality of glyphsheets wherein each glyphsheet includes one or more glyphs included in the established glyphword and one or more glyphs not included in the established glyphword;
and for each glyphsheet:
computer program instructions for presenting to a user the glyphsheet;
computer program instructions for receiving from the user at least one selection of a glyph included in the glyphsheet;
computer program instructions for determining whether the glyphsheet is the last glyphsheet if the glyph selected by the user is not included in the glyphs of the glyphword;
computer program instructions for providing access to a resource if the glyphsheet is the last glyphsheet; and
computer program instructions for denying access to a resource if any of the glyphs selected by the user are included in the plurality of glyphs of the glyphword.
2. The method of
3. The method of
4. The method of
selecting a glyph configuration for each glyphsheet; and
selecting one or more glyphs not included in the glyphword from a glyph database; and
including the selected glyphs in the glyphsheet according to the selected glyph configuration.
5. The method of
6. The method of
7. The method of
9. The system of
10. The system of
11. The system of
selecting a glyph configuration for each glyphsheet; and
selecting one or more glyphs not included in the glyphword from a glyph database; and
including the selected glyphs in the glyphsheet according to the selected glyph configuration.
12. The system of
14. The computer program product of
15. The computer program product of
16. The computer program product of
computer program instructions for selecting a glyph configuration for each glyphsheet; and
computer program instructions for selecting one or more glyphs not included in the glyphword from a glyph database; and
computer program instructions for including the selected glyphs in the glyphsheet according to the selected glyph configuration.
17. The computer program product of
|
1. Field of the Invention
The field of the invention is data processing, or, more specifically, methods, systems, and products for glyphword-based security.
2. Description of Related Art
There are many forms of security systems providing authentication and authorization to grant or deny access to resources. Such conventional security systems often include a challenge and response, implemented for example, by prompting a user for a password and a user entering their password. Passwords may be implemented as a collection of characters, symbols or pictures. If the correct password is received in response to a challenge in such systems, then the user is granted access to the resource. The problem with such challenge response based systems is that they are subject to someone viewing or video recording the characters, symbols, or pictures of the password as a user enters the response to the challenge. There is therefore an ongoing need for improvement in security systems.
Methods, systems, and computer program products are provided for glyphword-based security. Embodiments include establishing a glyphword comprising a plurality of glyphs; and creating a plurality of glyphsheets wherein each glyphsheet includes one or more glyphs included in the established glyphword and one or more glyphs not included in the established glyphword; and for each glyphsheet: presenting to a user the glyphsheet; receiving from the user at least one selection of a glyph included in the glyphsheet; determining whether the glyphsheet is the last glyphsheet if the glyph selected by the user is not included in the glyphs of the glyphword; and providing access to a resource if the glyphsheet is the last glyphsheet.
The foregoing and other objects, features and advantages of the invention will be apparent from the following more particular descriptions of exemplary embodiments of the invention as illustrated in the accompanying drawings wherein like reference numbers generally represent like parts of exemplary embodiments of the invention.
Exemplary methods, systems, and products for glyphword-based security according to embodiments of the present invention are described with reference to the accompanying drawings, beginning with
Each of the devices (106, 108, 112, 104, 110, 126, and 128) are capable of supporting a glyph-based security module, computer program instructions capable of establishing a glyphword comprising a plurality of glyphs; creating a plurality of glyphsheets wherein each glyphsheet includes one or more glyphs included in the established glyphword and one or more glyphs not included in the established glyphword; and for each glyphsheet: presenting to a user the glyphsheet; receiving from the user at least one selection of a glyph on the glyphsheet; determining whether the glyphsheet is the last glyphsheet if the glyph selected by the user is not included in the glyphs of the glyphword; and providing access to a resource if the glyphsheet is the last glyphsheet. Glyphword-based security modules according to the present invention may be used to provide security for resources such as computers, individual files or resources stored on computers, networks, or any other resources as will occur to those of skill in the art.
A glyph is a symbolic figure or character that stands for an element in a glyphword. A glyphword is a collection of glyphs defining a password for a user, a process, or a resource. A glyphsheet is a collection of glyphs, often implemented as a matrix of glyphs. Glyphsheets typically include one or more glyphs included in the established glyphword and one or more glyphs not included in the established glyphword. To gain access to a resource a user is required to select glyphs from each presented glyphsheet that are not included in the glyphword governing access to the resource. Requiring a user to select glyphs not included in the glyphword advantageously makes it difficult for would-be intruders to determine the glyphword by monitoring the user's logging into through glyphsheets.
The arrangement of servers and other devices making up the exemplary system illustrated in
Glyphword-based security in accordance with the present invention is generally implemented with computers, that is, with automated computing machinery. In the system of
Stored in RAM (168) is a glyphword-based security module (210) capable of glyphword-based security according to the present invention. The glyphword-based security module (210) comprises computer program instructions for establishing a glyphword comprising a plurality of glyphs; creating a plurality of glyphsheets wherein each glyphsheet includes one or more glyphs included in the established glyphword and one or more glyphs not included in the established glyphword; and for each glyphsheet: presenting to a user the glyphsheet; receiving from the user at least one selection of a glyph on the glyphsheet; determining whether the glyphsheet is the last glyphsheet if the glyph selected by the user is not included in the glyphs of the glyphword; and providing access to a resource if the glyphsheet is the last glyphsheet.
Also stored in RAM (168) is an operating system (154). Operating systems useful in computers according to embodiments of the present invention include UNIX™, Linux™, Microsoft XP™, AIX™, IBM's i5/OS™, and others as will occur to those of skill in the art. Operating system (154) and glyphword-based security module (210) in the example of
Computer (152) of
The example computer of
The exemplary computer (152) of
For further explanation,
Establishing (302) a glyphword (304) comprising a plurality of glyphs may be carried out by presenting a user with a selection of glyphs and receiving from the user a plurality of selections of glyphs comprising the glyphword. Presenting a user with a selection of glyphs and receiving from the user a plurality of selections of glyphs comprising the glyphword may be carried out through the user of a graphical user interface (‘GUI’). For further explanation, therefore,
In the example of
The glyphs presented in the exemplary glyph establishment page of
Furthermore, the number of glyphs presented in the exemplary glyph establishment page of
Again with reference to
The exemplary glyphs presented in the exemplary glyphsheet (500) of
Again with reference to
As will occur to those of skill in the art, number of glyphsheets presented to a user and the number of glyphs contained in each glyphsheet may vary according to a number factors. As the number of glyphsheets presented to a user increases, the likelihood of security failure decreases. Furthermore, as the number of glyphs in each glyphsheet increase, the likelihood of would-be intruders identifying glyphs in a glyphword my monitoring a user also decreases. For this reason, the number of glyphsheets and the configuration defining the number of glyphs in each glyphsheet may be implemented as configurable parameters appropriate for the level of security desired.
Consider for example, with a glyphword containing 8 glyphs, and a glyphsheet implemented as a 3×3 matrix of glyphs having 7 of 9 glyphs not contained in the glyphword, the probability of a would-be intruder guessing the glyphword when presented with 8 such glyphsheets is calculated as: (1−7/9)^8=0.000005 or 1 in 168,151. Furthermore, with a glyphword of 16 glyphs and a glyphsheet implemented as a 9×9 matrix of glyphs with 50 of 81 glyphs not in the glyphword, the probability of a would-be intruder guessing the glyphword when presented with 16 such glyphsheets is calculated as: (1−50/81)^16=0.0000002 or 1 in 4,720,339. Even further, with a glyphword of 12 glyphs and a glyphsheet including a 4×4 matrix of glyphs, with 12 of 16 of the glyphs not in the glyphword the probability of a would-be intruder guessing the glyphword when presented with 12 such glyphsheets is calculated as: 1−12/15)^12=0.00000000596 or 1 in 16,777,216.
For further security, some glyphsheets that are inactive may be presented with active glyphsheets. An active glyphsheet includes glyphsheets having glyphs in the glyphword and therefore may act to deny access to the resource. An inactive glyphsheet contains no glyphs in the glyphword and therefore cannot act to deny access to the resource, but may act to reduce the possibility of would-be intruders identifying the glyphword by monitoring a user. The inactive glyphsheets without peril (the glyphsheets that do not contain glyphs of the glyphword) do not count towards authentication. For example, a user may be presented with 12 glyphsheets, 8 of which are active and four of which are active. The inactive glyphsheets are presented with the intention of throwing off frequency analysis in case of would-be intruders monitoring the activities of a user and to increase the chances against someone determining the length of the glyphword chosen. An authorized user will select glyphs not in the glyphword when presented both inactive and active glyphsheets until the user is provided access to the resource.
The timing of glyphsheet presentation may also be configurable and in some embodiments a user may be presented with more glyphsheets than selections received in response to those glyphsheets. That is, in such embodiments, different glyphsheets are periodically presented and when a user has selected a predetermined number of glyphs not in the glyphword in response to predetermined number of glyphsheets regardless of how many glyphsheets are actually presented, access to the resource is provided. Automatically presenting glyphsheets until access is determined may additionally function as a screen saver.
The number of glyphsheets presented to a user and the configuration of such glyphsheets will therefore vary according to factors such as the degree of security desired, the burden of creating and presenting glyphsheets, and others as will occur to those of skill in the art and such factors governing the number of glyphsheets presented may be configurable by a system administrator.
Each created glyphsheet is not required to have the same configuration. For example, a series of glyphsheets may contain different configurations, each glyphsheet having different numbers of glyphs and different ratios of glyphs in the glyphword and glyphs not in the glyphword. Such glyphsheet creation may be defined by rules for statistically reducing the possibility intrusion. In such cases authorized users may be presented with persistently glyphsheets containing fewer glyphs over the long term such as over several future authentication attempts. When a user is denied access due to selecting a glyph in the glyphword, the user may then be presented with glyphsheets with more glyphs. This way of glyphsheet creation allows for long term protection against recording systems and short term protection against illegal access attempts by adaptively modifying the glyph frequency distribution to suit the situation.
After creating (305) a plurality of glyphsheets (308), the method of
The method of
The method of
The method of
Exemplary embodiments of the present invention are described largely in the context of a fully functional computer system for glyphword-based security. Readers of skill in the art will recognize, however, that the present invention also may be embodied in a computer program product disposed on signal bearing media for use with any suitable data processing system. Such signal bearing media may be transmission media or recordable media for machine-readable information, including magnetic media, optical media, or other suitable media. Examples of recordable media include magnetic disks in hard drives or diskettes, compact disks for optical drives, magnetic tape, and others as will occur to those of skill in the art. Examples of transmission media include telephone networks for voice communications and digital data communications networks such as, for example, Ethernets™ and networks that communicate with the Internet Protocol and the World Wide Web. Persons skilled in the art will immediately recognize that any computer system having suitable programming means will be capable of executing the steps of the method of the invention as embodied in a program product. Persons skilled in the art will recognize immediately that, although some of the exemplary embodiments described in this specification are oriented to software installed and executing on computer hardware, nevertheless, alternative embodiments implemented as firmware or as hardware are well within the scope of the present invention.
It will be understood from the foregoing description that modifications and changes may be made in various embodiments of the present invention without departing from its true spirit. The descriptions in this specification are for purposes of illustration only and are not to be construed in a limiting sense. The scope of the present invention is limited only by the language of the following claims.
Dayan, Richard A., Kekessie, Kofi, Jennings, Jeffrey B.
Patent | Priority | Assignee | Title |
Patent | Priority | Assignee | Title |
4610025, | Jun 22 1984 | ASSOCIATED INVESTMENT COMPANY VENTURES, INC , 5801 TROWBRIDGE, EL PASO, TEXAS 79925 A TEXAS CORP | Cryptographic analysis system |
5428349, | Oct 01 1992 | Next Access Technologies, LLC | Nondisclosing password entry system |
6223289, | Apr 20 1998 | Oracle America, Inc | Method and apparatus for session management and user authentication |
6552727, | Mar 27 1998 | Microsoft Technology Licensing, LLC | Method for authoring hints for a font using a graphical user interface |
20040250138, |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Aug 09 2006 | JENNINGS, JEFFREY B | International Business Machines Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 018536 | /0069 | |
Aug 09 2006 | KEKESSIE, KOFI | International Business Machines Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 018536 | /0069 | |
Aug 11 2006 | DAYAN, RICHARD A | International Business Machines Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 018536 | /0069 | |
Aug 14 2006 | International Business Machines Corporation | (assignment on the face of the patent) | / |
Date | Maintenance Fee Events |
Mar 07 2014 | REM: Maintenance Fee Reminder Mailed. |
Jul 11 2014 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Jul 11 2014 | M1554: Surcharge for Late Payment, Large Entity. |
Mar 12 2018 | REM: Maintenance Fee Reminder Mailed. |
Sep 03 2018 | EXP: Patent Expired for Failure to Pay Maintenance Fees. |
Date | Maintenance Schedule |
Jul 27 2013 | 4 years fee payment window open |
Jan 27 2014 | 6 months grace period start (w surcharge) |
Jul 27 2014 | patent expiry (for year 4) |
Jul 27 2016 | 2 years to revive unintentionally abandoned end. (for year 4) |
Jul 27 2017 | 8 years fee payment window open |
Jan 27 2018 | 6 months grace period start (w surcharge) |
Jul 27 2018 | patent expiry (for year 8) |
Jul 27 2020 | 2 years to revive unintentionally abandoned end. (for year 8) |
Jul 27 2021 | 12 years fee payment window open |
Jan 27 2022 | 6 months grace period start (w surcharge) |
Jul 27 2022 | patent expiry (for year 12) |
Jul 27 2024 | 2 years to revive unintentionally abandoned end. (for year 12) |